Re: people.debian.org will move from ravel to paradis and become HTTPS only

]] Wouter Verhelst 

> AFAIK, people.debian.org does not allow running server-side HTTP scripts
> (and even if it does, I think that's a bad idea and we should disable it
> ASAP). As such, people.debian.org is not an interface for reading mail
> in your browser over HTTP, or doing IRC, or whatnot. So that argument
> simply doesn't apply.

There is no need for server-side HTTP scripts to run IRC in your
browser.  http://glowing-bear.github.io/glowing-bear/ talks to weechat,
for instance.

> Instead, people.d.o is a place to allow downloads of files. Period.

That's not the only thing people use it for, though.  They use it for
hosting web pages, their blog and so on.

> > > Additionally, since debian.org uses DNSSEC, if you can somehow MITM
> > > people.debian.org then due to DANE you can MITM it for HTTP as well as
> > > HTTPS, so forcing HTTPS really doesn't gain you much.
> > 
> > Not many HTTP clients support DANE, unfortunately, and MITM-ing
> > DNSSEC-secured domains is a bit more effort than just MITM-ing a
> > plaintext HTTP connection.
> If you can MITM people.debian.org, you've already MITM'ed a
> DNSSEC-secured domain.

I see there's some confusion here.  I'm talking about a TCP level MITM
attack, not a DNS hijacking attack, which seems to be what you're
talking about.  Hijacking TCP is trivial and happens (intentionally and
by mistake) very, very often.

> > > > > Is there an actual attack vector that we're trying to protect against
> > > > > which requires us to disable plain HTTP, or is this just yet another
> > > > > instance of the bogus "HTTP is obsolete" idea?
> > > > 
> > > > There are lots of attack vectors.  It's not a response to a single
> > > > attack being exploited in the wild.
> > > 
> > > So name one?
> > 
> > To pick a random example off a web page:
> > http://ghantoos.org/2012/10/21/cocktail-of-pxe-debian-preseed-ipmi-puppet/
> > 
> >     wget http://people.debian.org/~dannf/add-firmware-to/add-firmware-to
> >     sed -i 's/lenny/wheezy/' add-firmware-to
> >     chmod +x add-firmware-to
> >     ./add-firmware-to initrd.gz initrd.nonfree.gz wheezy
> The problem here is not the idea that someone might MITM
> people.debian.org and provide something useless. The problem is a
> culture of people who run random code off the web without checking what
> it does.

That is also a problem, yes.  Using HTTP makes it worse than if it was
using HTTPS.

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
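The `wget http://... && ./script` snippet quoted above is the pattern the thread argues about: over plaintext HTTP, anyone who can hijack the TCP connection can substitute their own script before it is executed. The following is an added example, not part of the thread or of any Debian tooling, showing the hardened form of that download step: it refuses non-HTTPS URLs, fetches with certificate and hostname verification, and compares the payload's SHA-256 against a digest obtained out of band before anything is written to disk. The `fetcher` parameter and the placeholder digest in the usage block are assumptions made so the example can run offline.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse


class UnsafeDownload(Exception):
    """Raised when a download would run over plaintext HTTP or fails integrity checks."""


def require_https(url: str) -> str:
    """Reject anything but an https:// URL so the request never goes out in the clear.

    A TCP-level MITM on port 80 can rewrite the body at will; TLS with a
    verified certificate chain forces the attacker to also defeat the CA/PKI.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UnsafeDownload(f"refusing non-HTTPS URL: {url!r}")
    return url


def https_fetch(url: str, timeout: float = 30.0) -> bytes:
    """Fetch url over TLS with the default context (chain + hostname verification)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with urllib.request.urlopen(require_https(url), context=ctx, timeout=timeout) as resp:
        return resp.read()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the payload digest against a pinned hex value."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.strip().lower())


def fetch_verified(url: str, expected_sha256: str, fetcher=https_fetch) -> bytes:
    """Download url only over HTTPS and return its bytes only if the digest matches.

    `fetcher` is injectable (assumed here, not a real API) so the logic can be
    exercised offline with constructed data; in real use the default is used.
    """
    require_https(url)  # checked up front even if a custom fetcher is supplied
    data = fetcher(url)
    if not verify_sha256(data, expected_sha256):
        raise UnsafeDownload(
            f"digest mismatch for {url}: got {hashlib.sha256(data).hexdigest()}"
        )
    return data


if __name__ == "__main__":
    # Placeholder digest: obtain the real value out of band (e.g. a signed
    # announcement), never from the same unauthenticated channel as the file.
    EXPECTED = "<sha256-from-trusted-source>"
    try:
        payload = fetch_verified(
            "https://people.debian.org/~dannf/add-firmware-to/add-firmware-to", EXPECTED
        )
        with open("add-firmware-to", "wb") as fh:
            fh.write(payload)
    except UnsafeDownload as exc:
        print(f"not writing script: {exc}")
```

Compared with the quoted four-line recipe, the executable never touches disk unless both the transport and the content check pass, so a substituted script fails closed instead of being run with `./add-firmware-to`.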

